External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-07-07 18:35:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add a 'mac' chain

Browse Source 
With hunks borrowed from one of David Steven's previous patches, we now
add the capability of having a 'mac' chain which is useful to filter
for multiple valid MAC addresses.

Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
This commit is contained in:
Stefan Berger 2011-11-22 15:12:03 -05:00 committed by Stefan Berger
parent aa69441cba
commit af37ce3dc7
4 changed files with 28 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docs/schemas/nwfilter.rng
View File

@ -296,6 +296,9 @@
<attribute name="chain">
<choice>
<value>root</value>
<data type="string">
<param name="pattern">mac[a-zA-Z0-9_\.:-]{0,9}</param>
</data>
<data type="string">
<param name="pattern">vlan[a-zA-Z0-9_\.:-]{0,8}</param>
</data>

2
src/conf/nwfilter_conf.c
View File

@ -82,6 +82,7 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable, VIR_NWFILTER_EBTABLES_TABLE_LAST,
VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,
"root",
"mac",
"vlan",
"arp",
"rarp",
@ -128,6 +129,7 @@ struct int_map {
static const struct int_map chain_priorities[] = {
INTMAP_ENTRY(NWFILTER_ROOT_FILTER_PRI, "root"),
INTMAP_ENTRY(NWFILTER_MAC_FILTER_PRI, "mac"),
INTMAP_ENTRY(NWFILTER_VLAN_FILTER_PRI, "vlan"),
INTMAP_ENTRY(NWFILTER_IPV4_FILTER_PRI, "ipv4"),
INTMAP_ENTRY(NWFILTER_IPV6_FILTER_PRI, "ipv6"),

2
src/conf/nwfilter_conf.h
View File

@ -378,6 +378,7 @@ enum virNWFilterEbtablesTableType {
# define NWFILTER_MAX_FILTER_PRIORITY MAX_RULE_PRIORITY
# define NWFILTER_ROOT_FILTER_PRI 0
# define NWFILTER_MAC_FILTER_PRI -800
# define NWFILTER_VLAN_FILTER_PRI -750
# define NWFILTER_IPV4_FILTER_PRI -700
# define NWFILTER_IPV6_FILTER_PRI -600
@ -456,6 +457,7 @@ struct _virNWFilterEntry {
enum virNWFilterChainSuffixType {
VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
VIR_NWFILTER_CHAINSUFFIX_MAC,
VIR_NWFILTER_CHAINSUFFIX_VLAN,
VIR_NWFILTER_CHAINSUFFIX_ARP,
VIR_NWFILTER_CHAINSUFFIX_RARP,

23
src/nwfilter/nwfilter_ebiptables_driver.c
View File

@ -188,6 +188,7 @@ enum l3_proto_idx {
L3_PROTO_IPV6_IDX,
L3_PROTO_ARP_IDX,
L3_PROTO_RARP_IDX,
L2_PROTO_MAC_IDX,
L2_PROTO_VLAN_IDX,
L3_PROTO_LAST_IDX
};
@ -205,6 +206,7 @@ static const struct ushort_map l3_protocols[] = {
USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP , "arp"),
USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"),
USHORTMAP_ENTRY_IDX(L2_PROTO_VLAN_IDX, ETHERTYPE_VLAN , "vlan"),
USHORTMAP_ENTRY_IDX(L2_PROTO_MAC_IDX, 0 , "mac"),
USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0 , NULL),
};
@ -2806,11 +2808,26 @@ ebtablesCreateTmpSubChain(ebiptablesRuleInstPtr *inst,
char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
char chainPrefix = (incoming) ? CHAINPREFIX_HOST_IN_TEMP
: CHAINPREFIX_HOST_OUT_TEMP;
char *protostr = NULL;
PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
PRINT_CHAIN(chain, chainPrefix, ifname,
(filtername) ? filtername : l3_protocols[protoidx].val);
switch (protoidx) {
case L2_PROTO_MAC_IDX:
protostr = strdup("");
break;
default:
virAsprintf(&protostr, "-p 0x%04x ", l3_protocols[protoidx].attr);
break;
}
if (!protostr) {
virReportOOMError();
return -1;
}
virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -F %s") CMD_SEPARATOR
CMD_EXEC
@ -2819,7 +2836,7 @@ ebtablesCreateTmpSubChain(ebiptablesRuleInstPtr *inst,
CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
CMD_EXEC
"%s"
CMD_DEF("%s -t %s -%%c %s %%s -p 0x%x -j %s")
CMD_DEF("%s -t %s -%%c %s %%s %s-j %s")
CMD_SEPARATOR
CMD_EXEC
"%s",
@ -2831,10 +2848,12 @@ ebtablesCreateTmpSubChain(ebiptablesRuleInstPtr *inst,
CMD_STOPONERR(stopOnError),
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
rootchain, l3_protocols[protoidx].attr, chain,
rootchain, protostr, chain,
CMD_STOPONERR(stopOnError));
VIR_FREE(protostr);
if (virBufferError(&buf) ||
VIR_EXPAND_N(tmp, count, 1) < 0) {
virReportOOMError();